How far are we willing to go to achieve cyber security?

With every high-profile data breach and emerging global terrorist threat, public discourse on cyber security becomes increasingly polarized and unproductive. At a time of understandably heightened concerns over potential terrorist attacks, many governments view control of and visibility into citizens’ communications as a key prerequisite to preventing extremism, domestically and internationally. The only publicly discussed means to achieving that, though, is a backdoor into encryption technology, designed to protect digital communications. While having access on the backend of countless networks will enable mostly unobstructed data access, the question is to what extent would this capability compromise the government’s own ability to secure its citizens?

As the Web continues to grow, it is adding an unprecedented number of devices constantly engaged in information sharing – some more sensitive than the rest, with most data still transmitted in the clear. Increased connectivity has facilitated the rapid growth of attacks aimed to steal valuable personal, business and government data. The only defense for data in transit is encryption, properly implemented to ensure information is only accessible by the intended recipient. Often unnoticed, encryption secures countless core applications – from satellite and power control systems to air traffic communications and stock exchange transactions. It literally is the first line of defense for information we deem sensitive or proprietary.

ADVERTISEMENT
As a thought experiment, let’s play out the backdoor scenario to its logical end. Companies developing technology for banking, medicine, and the auto industry are now required to introduce a US government-mandated backdoor in their systems. The government is entrusted to safeguard the decryption keys that access information networks. Law enforcement agencies still have to obtain a warrant or perhaps a FISA court order to decrypt the data. However, unless government systems undergo a seismic security overhaul, the key repository will be breached sooner rather than later, as countless other databases have been, with OPM alone leaking over 20 million of sensitive background check records.

Following the U.S. precedent, the Chinese government, with a different set of national security targets and interests – potentially including dissidents and foreign companies – will ask for similar access to encrypted data. Others will follow suit. Most technology companies, including U.S.–based enterprises, are global players, and will face a choice – comply with national laws to continue to operate internationally or risk losing a hard-earned share in Chinese, French and UK markets.

A capability that was sought by one or two governments as a defense against terrorism now becomes a liability exploited by other nations for offensive operations against U.S. economic or national security interests. Of course, with vulnerabilities mandatorily built into networks, criminal hacks will become even easier to carry out. To defend business IP and customer data, the private sector will be left to rely on protecting windows, garage doors and the chimney, while the backdoor into their systems is wide open to criminal breaches, often supported by foreign interests.

It is time to shift the focus from seeking special access to serve political needs to keeping the Web safe for all its beneficiaries – governments, businesses or citizens. Because when the Web is not secure, it is not secure for all.

Developing an effective global approach must address technology and policy at both levels –government and private sector.

At the international level, the challenge lies in bringing everyone to the table to develop a set of unified rules for what we can and cannot do to advance national interests on the Web. Clearly, it will take time, diplomatic craftsmanship, and commitment to truly understand the technology in question. What we can do today is begin designing bilateral and multilateral agreements with our closest allies, including the private industry, to join forces to secure the global digital space.

Building a working model for domestic and international threat information sharing is a good first step in preempting and investigating attacks that may compromise critical information systems. It requires cooperation between the government and private companies whose networks may be targeted by state and non-state actors. However, since the government has not maintained a particularly impeccable information security track record, industry is legitimately concerned about sharing critical data potentially containing sensitive business and user information with a partner that cannot guarantee its protection. If we are serious about bringing technology companies to the table to jointly counter criminal intrusion threats, it is time for significant improvement of government security practices, including wide adoption of encryption across the board.

For its part, the private sector has built unprecedented collections of information – a rich target for criminal hackers and nation states. The cost of largely inevitable security breaches is only going to grow as more information is mined for monetization. In the short term, we, as an industry, need to carefully assess and improve our capability to secure data and refrain from collecting information we cannot protect.

It is in companies’ economic interest to establish a policy of transparency about data collection and enable users to opt out of repositories that retain personally identifiable data. The idea of having greater control of our personal information is fundamental for the development of digital economy. Although potentially expensive, it must become a long-term goal for the industry to rethink our business strategies around data collection, similar to the car industry lowering emission and fuel consumption levels, which once was considered impossible.

Since the inception of the internet, we have come a long way in improving its security and expanding its benefits. Last year, 29 percent of the North American traffic, including communications and banking, was protected by encryption of various degrees of sophistication. That number has been steadily growing, recorded at 2.29 percent in 2013. To collectively build up the Web’s resilience to global security challenges, its stakeholders – nation states, technology companies and citizens – must realize that even though we may have different goals related to the internet, the means to achieve those goals are rooted in a fundamental question: how do we keep it safe? Because when the Web is safe, it is safe for all.

Louie is co-founder and partner with Alsop Louie Partners, a venture firm based in San Francisco. He serves as a member of the Markle Foundation Task Force on National Security in the Information Age, as a member of the Technical Advisory Group for the United States Senate Select Committee on Intelligence, and chairs the committee on Persistent Forecasting of Disruptive Technologies for the National Academies.

Sell is co-founder of Wickr Foundation and co-chair and co-founder of Wickr Inc., a secure communications platform providing end-to-end encryption to users in over 190 countries.

More in Technology

A bridge too far: why Delta rockets aren't the answer for DoD launches

Read more »